Beyond Fear, Uncertainty and Doubt: Making the case for OT resilience
OT security is important, right? I couldn’t agree more. But what about the direction OT security has taken over the last couple of years? Here is where things get murky. On the positive side, one cannot complain about a lack of attention for the topic, nor about a lack of venture capital funding for startup companies in the sector. So far, so good. But how much progress was made? How can it be that, despite all the attention and budget OT security has received over the last decade, we are constantly warned about increasing threats and attacks? The answer is quite simple: The industry has mostly focused on threats rather than on the other factors that contribute to a more holistic or balanced OT security approach. If we visualized this myopic fixation on threats in the well-known NIST Cyber Security Framework circle, the picture would look pretty distorted.
OT security has a myopic fixation on threat detection
How can an industry fueled with billions of dollars in venture capital become fixated on a tiny piece of the overall OT security problem? Ok, that’s a rhetorical question. The simple answer is that fear attracts attention, and successfully luring customers into ICS detection products and procedures (think SOC analysts sifting through false positive alerts) locks these customers into dependence. No matter what you think about the importance of anomaly detection, one thing is for sure: There is no trajectory for continuous improvement. You always start from scratch with the next alleged threat actor and the next funny bytes in your network traffic. And vendors will do their best to keep fear levels up, especially when it comes to subscription renewal. For everyone less prone to fearmongering, it is pretty straightforward that network anomaly detection and threat intelligence are not the be-all and end-all of OT security.
Are threat actors the root of all evil in OT security?
The root cause of deficient OT security is not hackers. It’s the lack of cyber resilience. Historically, every OT attack exploited basic and well-known flaws in network architecture and security protocol. And guess what? Insufficient cyber resilience goes beyond creating attack surfaces. The reality is that hackers and malware are just one factor challenging the reliability of complex OT networks, and not even the most important one. Other, non-malicious factors are far more critical because they impact operations almost on a daily basis. Even though the negative consequences of accidental misconfigurations, inefficient engineering procedures, missing version control, etc., far exceed the damage done by actual OT attacks, they don’t get as much attention. They are not dramatized by vendors, the media, and the government and are, therefore, often ignored. A resilient OT architecture not only keeps the hackers out but also protects against accidental misconfiguration, configuration drift, and product obsolescence that catches you by surprise.
OT risk beyond hackers that you need to care about
The OTbase asset management system helps you on your journey towards OT resilience while at the same time allowing your engineers to achieve more with less. You can’t control hackers, but you can control the resilience of your OT installations. Or, as Master Yoda used to say, focus on what you can control and ignore the rest. Ok, I made this up, but I’m sure he would have said this when prompted. At least something like “On what you can control, focus you must. What you cannot control, not worry, should it you.”
The bottom line is this. OT security as we know it has vastly overplayed its hand with constant fearmongering in the blatant absence of confirmed successful cyber-physical attacks. It is time for a paradigm shift that brings us back to a more ROI-focused approach that addresses identification, protection, incident response, and recovery. Look at it this way. We haven’t seen sophisticated cyber-physical attacks since Stuxnet. Not a single one. We see hundreds of opportunistic ransomware attacks that reach for the low-hanging fruit. The guiding light for what to prevent at this stage is no longer the catastrophic targeted cyber-physical attack executed by state-sponsored hackers but the identification and mitigation of the vulnerabilities with the highest likelihood of getting exploited. Is this achievable? Yes. Easily. Let’s stop the drama. Let’s stop the fixation on imaginary super hackers and start working on all the architectural flaws in OT infrastructures that have been known for decades. Some have called this “cyber hygiene.” I prefer “OT resilience,” as it also addresses neutral problem factors such as configuration drift, product obsolescence, or even planned change. Reliable operation of our critical infrastructure, manufacturing, and other highly automated industries is too important to leave to companies living off instilling fear, uncertainty, and doubt. It’s time to approach the problem with a more rational, engineering-oriented approach. That’s what OT resilience is all about.
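To make the "neutral problem factors" concrete, here is a small added example (written for this page; it is not OTbase or any Langner code) of what an engineering-oriented resilience check looks like in practice: two snapshots of an asset inventory are compared, and every difference is classified as either a change recorded through change management or unexplained configuration drift, while the vendor end-of-support date flags product obsolescence before it catches you by surprise. The asset identifiers, versions, hashes, dates and the approved-change list are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory snapshots (hypothetical assets, not real data).
# Each record holds the attributes a resilience check cares about: the running
# firmware version, a hash of the exported device configuration, and the
# vendor's published end-of-support date for the product.
BASELINE = {
    "PLC-01": {"firmware": "2.3.1", "config_hash": "a1", "end_of_support": date(2027, 1, 1)},
    "PLC-02": {"firmware": "4.0.0", "config_hash": "b2", "end_of_support": date(2024, 6, 30)},
    "HMI-01": {"firmware": "1.2",   "config_hash": "c3", "end_of_support": date(2025, 3, 1)},
}
CURRENT = {
    "PLC-01": {"firmware": "2.3.1", "config_hash": "a9", "end_of_support": date(2027, 1, 1)},
    "PLC-02": {"firmware": "4.0.1", "config_hash": "b2", "end_of_support": date(2024, 6, 30)},
    "SW-07":  {"firmware": "7.1",   "config_hash": "d4", "end_of_support": date(2028, 1, 1)},
}
# Changes that went through the (hypothetical) change-management process,
# keyed by (asset, attribute). Anything else that changed is drift.
APPROVED_CHANGES = frozenset({("PLC-02", "firmware")})
TODAY = date(2025, 1, 15)                 # constructed reference date
OBSOLESCENCE_WARNING = timedelta(days=180)


@dataclass(frozen=True)
class Finding:
    asset: str
    kind: str    # drift | approved_change | missing | unknown | obsolete | end_of_support_soon
    detail: str


def check_resilience(baseline, current, today, approved_changes=frozenset(),
                     warn_within=OBSOLESCENCE_WARNING):
    """Compare two inventory snapshots and return a list of Findings.

    Drift and obsolescence are reported per asset; assets that vanished or
    appeared without being in the baseline are reported as inventory gaps.
    """
    findings = []
    for asset, base in baseline.items():
        cur = current.get(asset)
        if cur is None:
            findings.append(Finding(asset, "missing",
                                    "present in baseline, absent from current snapshot"))
            continue
        # Attribute-level comparison: a difference is only "drift" when no
        # approved change explains it.
        for attr in ("firmware", "config_hash"):
            if base[attr] != cur[attr]:
                kind = "approved_change" if (asset, attr) in approved_changes else "drift"
                findings.append(Finding(asset, kind, f"{attr}: {base[attr]} -> {cur[attr]}"))
        # Obsolescence: already out of support, or about to be.
        eos = cur["end_of_support"]
        if eos <= today:
            findings.append(Finding(asset, "obsolete",
                                    f"end of support passed on {eos.isoformat()}"))
        elif eos - today <= warn_within:
            findings.append(Finding(asset, "end_of_support_soon",
                                    f"end of support on {eos.isoformat()}"))
    # Assets seen now but never baselined: incomplete inventory or unplanned addition.
    for asset in current.keys() - baseline.keys():
        findings.append(Finding(asset, "unknown",
                                "not in baseline; inventory incomplete or unplanned addition"))
    return findings


def summarize(findings):
    """Count findings per kind, which is what a resilience KPI would track over time."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_example():
    return check_resilience(BASELINE, CURRENT, TODAY, APPROVED_CHANGES)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.asset:7} {f.kind:20} {f.detail}")
    print(summarize(run_example()))
```

The point of the structure is the trajectory for continuous improvement that the article misses in detection products: the counts returned by summarize() can only go down as drift is reconciled, change control is enforced and obsolete products are replaced, which is something you can measure and budget for regardless of who the next threat actor is.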
To learn more about how the OTbase software can help you strengthen your OT resilience, check https://langner.com.
Advisor and Consultant
(1 year) Ralph, I agree completely. We have to accept that "sh*t happens" and that attacks and incidents will occur. If I were an asset owner (as I used to be) I would be less interested in anticipating the next "threat" than making sure that my systems had some resilience built in. This is a question of risk management (not threat awareness) and most asset owners are very familiar with the need for risk management. This is what they have done for years in managing risks associated with the production and distribution of hazardous materials, protection of their workforce in hazardous conditions, etc., etc. After all, even if there were no specific "threat" there is still a possibility (even likelihood) of cyber incidents arising from inadequate attention in normal operations. Not all incidents can be attributed to the proverbial "bad guy."
Semi Retired at Self directed
(1 year) Hmm, I suspect many were trying to raise OT security about 16 yrs ago! Maybe time to celebrate the progression and keep moving forward to greater security; our communities require it of us!
Cyber-Physical Modeling and Simulations Technical Lead at Idaho National Laboratory
(1 year) Thank you, Ralph
Head of Product Security at AVEVA
(1 year) +1 "start working on all the architectural flaws in OT infrastructures that have been known for decades." CISA CPGs filtered for OT appear to prioritize architectural elements. Here is an infogram constructed to highlight architectural focus areas using the SANS description of architecture and benchmarked with Mitre ICS Att&ck. https://github.com/cisagov/cybersecurity-performance-goals/discussions/32
Managing Director at HENNSOL Technologies
(1 year) Ralph, I wholeheartedly agree with your perspective. Our customers are indeed well-versed in their pain points, and the media often exacerbates concerns through fearmongering. As an OT community, it's essential that we focus on presenting solutions grounded in robust engineering principles to address these challenges effectively.